Loading core/java/android/app/admin/DevicePolicyManager.java +2 −2 Original line number Diff line number Diff line Loading @@ -6432,7 +6432,7 @@ public class DevicePolicyManager { * broadcast when access to a key is granted. * * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or * {@code null} if calling from a delegated certificate installer. * {@code null} if calling from a delegated certificate chooser. * @param alias The alias of the key to grant access to. * @param packageName The name of the (already installed) package to grant access to. * @return {@code true} if the grant was set successfully, {@code false} otherwise. Loading Loading @@ -6498,7 +6498,7 @@ public class DevicePolicyManager { * broadcast when access to a key is revoked. * * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or * {@code null} if calling from a delegated certificate installer. * {@code null} if calling from a delegated certificate chooser. * @param alias The alias of the key to revoke access from. * @param packageName The name of the (already installed) package to revoke access from. * @return {@code true} if the grant was revoked successfully, {@code false} otherwise. Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +12 −7 Original line number Diff line number Diff line Loading @@ -5560,7 +5560,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { public boolean hasKeyPair(String callerPackage, String alias) { final CallerIdentity caller = getCallerIdentity(callerPackage); final boolean isCredentialManagementApp = isCredentialManagementApp(caller); Preconditions.checkCallAuthorization(canManageCertificates(caller) Preconditions.checkCallAuthorization(canInstallCertificates(caller) || isCredentialManagementApp); if (isCredentialManagementApp) { Preconditions.checkCallAuthorization( Loading @@ -5582,17 +5582,22 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { }); } private boolean canManageCertificates(CallerIdentity caller) { private boolean canInstallCertificates(CallerIdentity caller) { return isProfileOwner(caller) || isDeviceOwner(caller) || isCallerDelegate(caller, DELEGATION_CERT_INSTALL); } private boolean canChooseCertificates(CallerIdentity caller) { return isProfileOwner(caller) || isDeviceOwner(caller) || isCallerDelegate(caller, DELEGATION_CERT_SELECTION); } @Override public boolean setKeyGrantToWifiAuth(String callerPackage, String alias, boolean hasGrant) { Preconditions.checkStringNotEmpty(alias, "Alias to grant cannot be empty"); final CallerIdentity caller = getCallerIdentity(callerPackage); Preconditions.checkCallAuthorization(canManageCertificates(caller)); Preconditions.checkCallAuthorization(canChooseCertificates(caller)); return setKeyChainGrantInternal(alias, hasGrant, Process.WIFI_UID, caller.getUserHandle()); } Loading @@ -5602,7 +5607,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { Preconditions.checkStringNotEmpty(alias, "Alias to check cannot be empty"); final CallerIdentity caller = getCallerIdentity(callerPackage); Preconditions.checkCallAuthorization(canManageCertificates(caller)); Preconditions.checkCallAuthorization(canChooseCertificates(caller)); return mInjector.binderWithCleanCallingIdentity(() -> { try (KeyChainConnection keyChainConnection = Loading Loading @@ -5632,7 +5637,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final CallerIdentity caller = getCallerIdentity(who, callerPackage); Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDeviceOwner(caller))) || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_CERT_INSTALL))); || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_CERT_SELECTION))); final int granteeUid; try { Loading Loading @@ -5673,7 +5678,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @Override public ParcelableGranteeMap getKeyPairGrants(String callerPackage, String alias) { final CallerIdentity caller = getCallerIdentity(callerPackage); Preconditions.checkCallAuthorization(canManageCertificates(caller)); Preconditions.checkCallAuthorization(canChooseCertificates(caller)); final ArrayMap<Integer, Set<String>> result = new ArrayMap<>(); mInjector.binderWithCleanCallingIdentity(() -> { Loading Loading @@ -5733,7 +5738,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { */ if (hasProfileOwner(caller.getUserId())) { // Make sure that the caller is the profile owner or delegate. Preconditions.checkCallAuthorization(canManageCertificates(caller)); Preconditions.checkCallAuthorization(canInstallCertificates(caller)); // Verify that the managed profile is on an organization-owned device and as such // the profile owner can access Device IDs. if (isProfileOwnerOfOrganizationOwnedDevice(caller.getUserId())) { Loading Loading
core/java/android/app/admin/DevicePolicyManager.java +2 −2 Original line number Diff line number Diff line Loading @@ -6432,7 +6432,7 @@ public class DevicePolicyManager { * broadcast when access to a key is granted. * * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or * {@code null} if calling from a delegated certificate installer. * {@code null} if calling from a delegated certificate chooser. * @param alias The alias of the key to grant access to. * @param packageName The name of the (already installed) package to grant access to. * @return {@code true} if the grant was set successfully, {@code false} otherwise. Loading Loading @@ -6498,7 +6498,7 @@ public class DevicePolicyManager { * broadcast when access to a key is revoked. * * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or * {@code null} if calling from a delegated certificate installer. * {@code null} if calling from a delegated certificate chooser. * @param alias The alias of the key to revoke access from. * @param packageName The name of the (already installed) package to revoke access from. * @return {@code true} if the grant was revoked successfully, {@code false} otherwise. Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +12 −7 Original line number Diff line number Diff line Loading @@ -5560,7 +5560,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { public boolean hasKeyPair(String callerPackage, String alias) { final CallerIdentity caller = getCallerIdentity(callerPackage); final boolean isCredentialManagementApp = isCredentialManagementApp(caller); Preconditions.checkCallAuthorization(canManageCertificates(caller) Preconditions.checkCallAuthorization(canInstallCertificates(caller) || isCredentialManagementApp); if (isCredentialManagementApp) { Preconditions.checkCallAuthorization( Loading @@ -5582,17 +5582,22 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { }); } private boolean canManageCertificates(CallerIdentity caller) { private boolean canInstallCertificates(CallerIdentity caller) { return isProfileOwner(caller) || isDeviceOwner(caller) || isCallerDelegate(caller, DELEGATION_CERT_INSTALL); } private boolean canChooseCertificates(CallerIdentity caller) { return isProfileOwner(caller) || isDeviceOwner(caller) || isCallerDelegate(caller, DELEGATION_CERT_SELECTION); } @Override public boolean setKeyGrantToWifiAuth(String callerPackage, String alias, boolean hasGrant) { Preconditions.checkStringNotEmpty(alias, "Alias to grant cannot be empty"); final CallerIdentity caller = getCallerIdentity(callerPackage); Preconditions.checkCallAuthorization(canManageCertificates(caller)); Preconditions.checkCallAuthorization(canChooseCertificates(caller)); return setKeyChainGrantInternal(alias, hasGrant, Process.WIFI_UID, caller.getUserHandle()); } Loading @@ -5602,7 +5607,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { Preconditions.checkStringNotEmpty(alias, "Alias to check cannot be empty"); final CallerIdentity caller = getCallerIdentity(callerPackage); Preconditions.checkCallAuthorization(canManageCertificates(caller)); Preconditions.checkCallAuthorization(canChooseCertificates(caller)); return mInjector.binderWithCleanCallingIdentity(() -> { try (KeyChainConnection keyChainConnection = Loading Loading @@ -5632,7 +5637,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final CallerIdentity caller = getCallerIdentity(who, callerPackage); Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDeviceOwner(caller))) || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_CERT_INSTALL))); || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_CERT_SELECTION))); final int granteeUid; try { Loading Loading @@ -5673,7 +5678,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @Override public ParcelableGranteeMap getKeyPairGrants(String callerPackage, String alias) { final CallerIdentity caller = getCallerIdentity(callerPackage); Preconditions.checkCallAuthorization(canManageCertificates(caller)); Preconditions.checkCallAuthorization(canChooseCertificates(caller)); final ArrayMap<Integer, Set<String>> result = new ArrayMap<>(); mInjector.binderWithCleanCallingIdentity(() -> { Loading Loading @@ -5733,7 +5738,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { */ if (hasProfileOwner(caller.getUserId())) { // Make sure that the caller is the profile owner or delegate. Preconditions.checkCallAuthorization(canManageCertificates(caller)); Preconditions.checkCallAuthorization(canInstallCertificates(caller)); // Verify that the managed profile is on an organization-owned device and as such // the profile owner can access Device IDs. if (isProfileOwnerOfOrganizationOwnedDevice(caller.getUserId())) { Loading
